NOTICE pursuant to article 13 of Regulation (EU) 2016/679 ("GDPR")

NOTICE pursuant to article 13 of Regulation (EU) 2016/679 ("GDPR")

Dear User, Piaggio & C. S.p.A. welcomes you to our web site("the Website") and invites you to pay attention to the following Notice ("the Notice"), issued pursuant to article 13 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data ("GDPR").

This document contains a description of all the processing carried out by the Data Controller, as defined below, through the Website.

Please note that the Notice only concerns the Website; therefore any web page to which you may be redirected from the Website is deemed to be excluded.

In addition, if you purchase products or use Piaggio services through official Piaggio channels rather than through the Website, at the time of such purchase or use you will be issued with a specific Notice pursuant to art. 13 of the GDPR relating to your personal data processed at that moment.

The Data Controller has also appointed a Data Protection Officer ("DPO"), whom you may contact directly to exercise your rights and to receive any information concerning the processing of your personal data and/or concerning this Notice, by writing to:

Data Protection Officer – DPO

Viale Piaggio 25

56025 PONTEDERA (PI)

email: dpo@piaggio.com

Fax: +39 0587272961

Tel: +39 0587272495

2. The personal data we process

2.1 Browsing data

During their normal operation, the computer systems and software procedures used to operate the Website acquire certain personal data, the transmission of which to the Data Controller is implicit in the use of internet communication protocols.

This is information that is not collected to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the addresses of the requested resources in URI (Uniform Resource Identifier) notation, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the user's computer environment.

This data is used only to obtain anonymous statistical information on the use of the site and to check that it is working correctly; it is deleted after processing. The data could be used to establish responsibility for potential cybercrime against the Website.

2.2 Data provided voluntarily by the user

The Data Controller processes the following personal data provided by you when you fill in the formats (masks) on the Website:

3. The purposes for which your personal data is processed and the legal basis of processing

The personal data you provide by filling in the various masks on the Website is processed by the Data Controller for the following purposes.

3.1 Provision of services and sale of products

The Data Controller wishes to process your personal data in order to give you access to the Website, for purposes strictly related to the online sale of products and the provision of online services offered from time to time by the site- in particular, to respond to your requests to receive information on products and services offered by the Data Controller, for the management of "test ride" requests, to allow you to access promotions and offers on the Website, to accept your possible request to participate in our Community, and to provide you with any assistance you might request from our Customer care.

Nature of the data processing consent: Optional.

Consequences of refusal to allow data processing: Failure to give consent will make it impossible for the Data Controller to meet your requests as described in the first paragraph above.

Legal basis of the processing: Article 6 (1) (b) of the GDPR. It is therefore not necessary to obtain your prior consent to allow processing.

Personal data retention period: Your personal data obtained for these purposes will be processed for the time strictly necessary to comply with your request and will be subsequently retained for the time required by the applicable regulations after such compliance.

3.2 Marketing activities on products and services similar to those already requested by the User

The Data Controller wishes to process your personal data in order to send you commercial communications relating to products and services similar to those requested by you and offered by the Data Controller and through the Data Processors duly appointed pursuant to art. 28 of the GDPR.

Purposes of the processing: Sending advertising material, promotion and sale of products, market surveys and research and/or commercial communications.

Nature of the data processing consent: Optional.

Consequences of refusal to allow data processing: Failure to give consent will make it impossible for the Data Controller to send you promotional and marketing communications.

Legal basis of the processing: Legitimate interest.

Personal data retention period: Your personal data obtained for this purpose will be processed until you decide to object to the processing and/or to obtain termination of the processing at any time.

3. Marketing activities
The Data Controller wishes to process your personal data in order to send you commercial communications relating to all products and services offered by the Data Controller and through the Data Processors duly appointed pursuant to art. 28 of the GDPR.

Purposes of the processing: Sending advertising material, promotion and sale of products, market surveys and research and/or commercial communications.

Nature of the data processing consent: Optional.

Consequences of refusal to allow data processing: Failure to give consent will make it impossible for the Data Controller to send you promotional and marketing communications.

Legal basis of the processing: Consent

Personal data retention period: Your personal data obtained for this purpose will be processed until you decide to object to the processing and/or to obtain termination of the processing at any time.

4. The methods used to process your personal data

Your personal data will be processed in compliance with the provisions of the GDPR using paper, computer and telematic means, using methods strictly related to the specified purposes and in all cases guaranteeing security and confidentiality in accordance with the provisions of article 32 of the GDPR.

5. Persons to whom your personal data may be communicated or who may become aware of it

To fulfil the purposes described in point 3 above, your personal data will be known by the Data Controller's dependent and quasi-dependent personnel and by its contractors, all acting in the capacity of persons authorised to process personal data.

In addition, your personal data will be communicated and processed by third parties belonging to the following categories:

Persons used by the Data Controller to manage the Website

b. Companies that manage the Data Controller's computer system

Companies and consultants providing legal and/or financial advice

Authorities and supervisory and control bodies, and in general public or private entities with functions relating to public law

e. Persons used by the Data Controller for various reasons to provide the requested service

f. other Piaggio Group companies, for the purposes of marketing, direct sales, market surveys and for statistical processing such as monitoring the degree of customer satisfaction in relation to the services and products offered by Piaggio and/or other Piaggio Group companies, as well as for communication to third parties (e.g. suppliers) if this is necessary to enable you to benefit from our services.

You have the right to revoke the consent you may have provided at any time. This will make it impossible for the Data Controller to continue to use your personal data for the purpose in respect of which you have refused consent.

In some cases, the persons belonging to the foregoing categories operate in complete autonomy as separate Data Controllers; in others, they operate as Data Processors specifically appointed by the Data Controller in compliance with article 28 of the GDPR.

A complete and updated list of the persons to whom your personal data may be communicated can be requested from the registered office of the Data Controller or by contacting its DPO.

Your personal data will not be transferred to third parties outside the European Union and will not be disseminated.

6. Data of minors

The Data Controller does not process the personal data of persons under the age of 16 for the purposes referred to in sections 3.1 and 3.2 above.

If the User says that he/she is less than 16 years old, the field relating to the giving of consent will be pre-completed with a negative response.

7. Geolocation data

The site may collect and process geolocation data for the provision of services requested by the User, subject to the specific consent of the data subject, which can be withdrawn at any time. In this case, consent will be requested through a pop-up.

8. Your rights as a data subject

In relation to the processing described in this Privacy Notice, as a data subject you can, under the conditions specified by the GDPR, exercise the rights enshrined in articles 15 to 21 of the GDPR and, in particular, the following rights:

Right of access – article 15 of the GDPR: The right to obtain confirmation of whether personal data concerning you is being processed and, if it is, to obtain access to your personal data – including a copy thereof – and notification of the following information, inter alia:

Purposes of the processing

Categories of personal data processed

Recipients to whom the data has been or will be communicated

Data retention period or the criteria used

Rights of the data subject (rectification or erasure of personal data, restriction of processing and the right to object to processing

Right to complain

Right to receive information on the origin of personal data if it has not been collected from the data subject

The existence of an automated decision-making process, including profiling

Right to rectification – article 16 of the GDPR: The right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data

Right to erasure (right to be forgotten) – article 17 of the GDPR: The right to obtain, without undue delay, the erasure of personal data concerning you, when:

The data is no longer necessary in relation to the purposes for which it was collected or otherwise processed

You have withdrawn your consent and there is no other legal basis for the processing

You have successfully objected to the processing of personal data

The data has been unlawfully processed

The data must be erased to fulfil a legal obligation

The personal data has been collected in relation to the offer of information society services referred to in article 8 (1) of the GDPR.

The right to erasure does not apply where the processing is necessary for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of rights in legal proceedings.

Right to restriction of processing – article 18 of the GDPR: Right to obtain restriction of processing, when:

The data subject disputes the accuracy of the personal data

Processing is unlawful and the data subject objects to erasure of the personal data and requests restriction of its use instead

the controller no longer needs the personal data for the purposes of the processing, but the personal data is required by the data subject for the establishment, exercise or defence of rights in legal proceedings

The data subject has objected to processing as indicated above, pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to data portability – article 20 of the GDPR: The right to receive, in a structured, commonly used, machine-readable format, the personal data concerning you which has been provided to the Data Controller, and the right to transmit it to another Data Controller without hindrance, providing that processing is based on consent and is carried out by automated means. Also, the right to arrange for your personal data to be transmitted directly from the Data Controller to another data controller if this is technically feasible.

Right to object – article 21 of the GDPR: The right to object, at any time, to the processing of personal data concerning you, based on to the legitimacy of the legitimate interest, including profiling, unless there are legitimate grounds for the Data Controller to continue processing that override the interests, rights and freedoms of the data subject; or for the establishment, exercise or defence of a right in legal proceedings.

Right to make a complaint to the Italian Data Protection Authority, Piazza di Montecitorio no. 121, 00186, Rome (RM).

The above-mentioned rights may be exercised against the Data Controller by writing to the contact addresses indicated in point 1. The Data Controller will take charge of your request and, without undue delay and, in any event, no later than one month after receipt of the request, notify you regarding the action taken in respect of your request.

Exercising your rights as a data subject shall be free of charge pursuant to article 12 of the GDPR. In the case of manifestly unfounded or excessive requests, however, in particular because of their repetitive character, the Data Controller may charge a reasonable fee, to reflect the administrative costs incurred in handling your request, or refuse to act on it.

Finally, we inform you that the Data Controller may request further information necessary to confirm the identity of the data subject.

COOKIES POLICY

We hereby inform you that Piaggio uses cookies to make the web browsing experience better for all Users who visit the Website.

A cookie is a small file that the Website transfers to the User’s browser, where they are stored to be retransmitted to the Website at the next visit by the same User.

The cookies are used for different purposes such as: running computer authentication, session tracking, storing information about specific configurations of users accessing the server.

Cookies allow the Website to remember User's data for the length of the duration of the visit or for subsequent visits, allowing the User to browse between pages efficiently, storing the User's preferences, and allowing the User to interact with social networks such as Facebook, Google+, Instagram; they also offer Google Map services.

Cookies may also be used to store the login data of the User and therefore automatically recognise the User (making it unnecessary to login every time the User accesses the Website).

Data is processed with the aid of electronic or in any case automated, computerised or telematic devices, using approaches strictly connected to the purposes indicated above and, in any case, to ensure the security and confidentiality of the data.

Technical cookies (which do NOT require your consent)

According to current legislation in Italy, express consent is not always required for the use of cookies. In particular, no such consent is required for technical cookies, i.e. those used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary to provide a service explicitly requested by the user. These are, in other words, cookies essential for the functioning of the website or necessary to perform tasks requested by the user.

The Italian Authority for the Protection of Personal Data considers the following cookies as technical cookies, which do not require consent for their use:

analytics cookies when used directly by the website manager to collect information, in aggregate form, on the number of users and how they visit the website,

browsing or session cookies (to login, to make a purchase, etc.),

functionality cookies, which allow the user to browse according to a set of selected criteria (for example, language, the products selected for purchase) in order to improve the service rendered to the same.

Profiling cookies (which require your CONSENT) Our site also uses profiling cookies that we can only install with your prior consent.

Profiling cookies are designed to create profiles about the Users and are used to send advertising messages in line with the preferences expressed by the User during browsing. These cookies are used to present the best content to the users according to their interests. These types of cookies can be used to display targeted advertisements or to limit the number of times an advertisement is shown. Given the considerable invasion of users’ private lives that these devices can involve, Italian and European legislation requires the User to be properly informed on the use of these cookies and to grant valid consent. Profiling cookies require the prior free informed consent of the User, which the Site obtains in the forms specified in the Regulations, using the banner that appears on the first visit, as well as through the full notice allowing the user to grant or refuse the relative consent.

First-party and third-party cookies

If the cookies received from the User’s terminal are installed directly by the manager of the website that the User is visiting, then they are first-party cookies. While browsing on the Website, the User may however receive cookies from different websites or web servers (“third-party cookies”) that may include some elements (e.g. images, maps, sounds, specific links to pages on other domains) on the website that the User is visiting. These cookies are set by a website other than the one currently being visited.

Blocking cookies

Users can select which cookies to allow through the appropriate procedure provided below, as well as authorise, block or delete (in whole or in part) cookies through specific functions of their browser: nevertheless, in the event that all or some cookies are disabled, it is possible that the website cannot be consulted or that some services or certain functions of the website are not available or are not working properly and/or Users could be forced to change or manually enter certain information or preferences each time they visit the website.

If you want to modify your cookie settings, brief instructions are provided below on how to do this in the four most popular browsers:

Microsoft Internet Explorer

Click the 'Tools' icon in the upper right corner and select 'Internet Options'. In the pop-up window select 'Privacy'. Here you can adjust your cookie settings.

Google Chrome

Click the 'wrench' icon in the upper right corner and select 'Settings'. Then select ‘Under the hood’ and change the settings in the 'Privacy' section.

Mozilla Firefox

From the pull-down menu in the upper left corner, select 'Options'. In the pop-up window select 'Privacy'. Here you can adjust your cookie settings.

Safari

From the pull-down menu in the upper right corner, select 'Preferences'. Select 'Security' and here you can adjust the settings of your cookies.

As already envisaged in the banner that immediately appears when first visiting the website, consent to the use of all cookies can be provided by Users by selecting the virtual acceptance key (e.g. an OK, a tick, etc.) or by continuing to browse the website (e.g. ignoring the banner/pop-up and performing further operations). Users will also have free access to the extended disclosure link, complete with all cookie information (description, purpose and storage), in which the User will be able to provide consent only for certain categories of cookies.

Types of cookies

To ensure proper cookie management, as well as conscious consent to their use or otherwise, a summary is provided below of the different categories of cookies.